
TECHNOLOGIES & SECURITY STANDARDS FOR E-BANKING

Submitted to:
Resp. Mr. V.S. Solanki
IPM, Faculty

Submitted by:
Group# 14
Chandan Pandey
Gita Rani
Govind Sharma
Nayya Jain
Ravindra Rawani

Institute of Productivity & Management
Meerut
TECHNOLOGIES & SECURITY STANDARDS FOR E-BANKING

E-banking (Electronic Banking)

With advances in information and communication technology, banking services are also made
available through computers. In most branches today you see computers being used to record
banking transactions, and the balance in your deposit account can be looked up on a computer.
In most banks the human or manual teller counter is nowadays being supplemented or replaced by
the Automated Teller Machine (ATM). Banking activity carried on through computers and other
electronic means of communication is called ‘electronic banking’ or ‘e-banking’. Let us now
discuss some of these modern trends in banking in India.

• Automated Teller Machine

Banks have now installed their own Automated Teller Machines (ATMs) throughout the country at
convenient locations. Using an ATM, customers can deposit money into or withdraw money from
their own account at any time.

• Debit Card
Banks now provide Debit Cards to customers who hold a savings or current account with the
bank. The customer can use this card to purchase goods and services at different places in lieu
of cash. The amount paid by debit card is automatically debited (deducted) from the customer’s
account.

• Credit Card
Credit cards are issued by a bank to persons who may or may not have an account with that bank.
Just like debit cards, credit cards are used to make payments for purchases, so that the
individual does not have to carry cash. The bank allows the cardholder a certain credit period to
pay back the amount spent. Interest is charged if a cardholder is unable to pay back the credit
extended within the stipulated period, and this interest rate is generally quite high.

• Net Banking
With the extensive use of computers and the Internet, banks now conduct transactions over the
Internet. A customer having an account with the bank can log into the bank’s website and access
his bank account. He can pay bills, give instructions for money transfers, open fixed deposits,
arrange collection of bills, etc.

• Phone Banking
In phone banking, a customer of the bank can get information about his account and carry out
banking transactions such as fixed deposits, money transfers, demand drafts, and collection and
payment of bills, by using a telephone.
As more and more people now use mobile phones, phone banking is also possible through mobile
phones. On a mobile phone a customer can receive and send text messages (SMS) to and from the
bank, in addition to all the functions possible through phone banking.
Common E-Banking Services

Retail Services                         Wholesale Services
Account management                      Account management
Bill payment and presentment            Cash management
New account opening                     Small business loan applications,
                                          approvals, or advances
Consumer wire transfers                 Commercial wire transfers
Investment/Brokerage services           Business-to-business payments
Loan application and approval           Employee benefits/pension administration
Account aggregation

Bill payment service

You can pay electricity, telephone, mobile phone, credit card and insurance premium bills
online, as each bank has tie-ups with various utility companies, service providers and insurance
companies across the country. To pay your bills, all you need to do is complete a simple
one-time registration for each biller. You can also set up standing instructions online to pay
your recurring bills automatically. Generally, the bank does not charge customers for online
bill payment.

Fund transfer
You can transfer any amount from one account to another at the same bank or at any other bank.
Customers can send money anywhere in India. Once you log in to your account, you need to enter
the payee’s account number, bank and branch. The transfer takes place in a day or so, whereas
the traditional method takes about three working days. ICICI Bank says that online bill payment
and fund transfer have been its most popular online services.

Credit card customers

With Internet banking, customers can not only pay their credit card bills online but also take a
loan against their cards. If you lose your credit card, you can report the lost card online.

Railway pass
This is something that would interest the general public (the aam janta). Indian Railways has
tied up with ICICI Bank, and you can now obtain your railway pass for local trains online. The
pass is delivered to your doorstep. The facility is, however, limited to Mumbai, Thane, Nashik,
Surat and Pune.

Investing through Internet banking

You can now open a fixed deposit (FD) online through a funds transfer. Investors with
interlinked demat and bank accounts can trade in the stock market easily: the amount is
automatically debited from their bank account and the shares are credited to their demat
account. Moreover, some banks even let you purchase mutual funds directly from the online
banking system.
Nowadays, most leading banks offer both online banking and demat accounts. However, if you have
your demat account with an independent share broker, you need to sign a special form that links
the two accounts.

Recharging your prepaid phone

You can top up your prepaid mobile card by logging in to Internet banking. Just select your
operator’s name, enter your mobile number and the recharge amount, and your phone is back in
action within a few minutes.

Shopping
With a range of products of all kinds, you can shop online and pay conveniently from your
account. You can also buy railway and air tickets through Internet banking.
E-BANKING COMPONENTS
E-banking systems can vary significantly in their configuration depending on a number of
factors. Financial institutions should choose their e-banking system configuration, including
outsourcing relationships, based on four factors:
• Strategic objectives for e-banking;
• Scope, scale, and complexity of equipment, systems, and activities;
• Technology expertise; and
• Security and internal control requirements.
Financial institutions may choose to support their e-banking services internally. Alternatively,
financial institutions can outsource any aspect of their e-banking systems to third parties. The
following entities could provide or host (i.e., allow applications to reside on their servers)
e-banking-related services for financial institutions:
• Another financial institution,
• Internet service provider,
• Internet banking software vendor or processor,
• Core banking vendor or processor,
• Managed security service provider,
• Bill payment provider, and
• Credit bureau.
Whether provided internally or outsourced, an e-banking system is built from components such
as:
• Website design and hosting,
• Firewall configuration and management,
• Intrusion detection system or IDS (network and host-based),
• Network administration,
• Security management,
• Internet banking server,
• E-commerce applications (e.g., bill payment, lending, brokerage),
• Internal network servers,
• Core processing system,
• Programming support, and
• Automated decision support systems.
These components work together to deliver e-banking services. Each component represents a
control point to consider.
Through a combination of internal and outsourced solutions, management has many alternatives
when determining the overall system configuration for the various components of an e-banking
system. However, for the sake of simplicity, this booklet presents only two basic variations.
First, one or more technology service providers can host the e-banking application and numerous
network components as illustrated in the following diagram. In this configuration, the
institution’s service provider hosts the institution’s website, Internet banking server, firewall, and
intrusion detection system. While the institution does not have to manage the daily
administration of these component systems, its management and board remain responsible for
the content, performance, and security of the e-banking system.

E-BANKING SUPPORT SERVICES


In addition to traditional banking products and services, financial institutions can provide a
variety of services that have been designed or adapted to support e-commerce. Management
should understand these services and the risks they pose to the institution. This section discusses
some of the most common support services: weblinking, account aggregation, electronic
authentication, website hosting, payments for e-commerce, and wireless banking activities.
WEBLINKING
A large number of financial institutions maintain sites on the World Wide Web. Some websites
are strictly informational, while others also offer customers the ability to perform financial
transactions, such as paying bills or transferring funds between accounts.
Virtually every website contains “weblinks.” A weblink is a word, phrase, or image on a
webpage that contains markup (a hyperlink) which takes the viewer to a different part of the
website or to a completely different website with a single click. While weblinks are a
convenient and accepted tool in website design, their use can present certain risks. Generally,
the primary risk posed by weblinking is that viewers can become confused about whose website
they are viewing and who is responsible for the information, products, and services available
through that website.
There are a variety of risk management techniques institutions should consider using to mitigate
these risks. These risk management techniques are for those institutions that develop and
maintain their own websites, as well as institutions that use third-party service providers for this
function. The agencies have issued guidance on weblinking that provides details on risks and risk
management techniques financial institutions should consider.
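One concrete control behind the guidance above is a periodic audit of the institution's own pages for links that leave the site. The script below is an added example written for this page, not code from the booklet or from any agency guidance. It parses the anchors on a page, resolves them against the page URL, treats only the bank's host and its real subdomains as first-party (a plain suffix match would accept a lookalike such as examplebank.test.evil.test), and reports external targets that lack an exit-notice marker. The bank host, the data-exit-notice attribute and the sample HTML are constructed assumptions for illustration.

```python
"""Audit the links on a bank web page and flag those that leave the site.

Added example, not code from the original document. The sample HTML, the
bank host 'examplebank.test' and the 'data-exit-notice' attribute are
constructed assumptions, not a real convention.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

BANK_HOST = "examplebank.test"   # assumed first-party host

# Constructed sample page: two internal links, one partner link without an
# exit notice, one with, and one lookalike host that only looks internal.
SAMPLE_PAGE = """
<a href="/accounts/summary">My accounts</a>
<a href="https://www.examplebank.test/bills">Pay bills</a>
<a href="https://partner-insurance.test/quote">Get an insurance quote</a>
<a href="https://rewards-shop.test" data-exit-notice="yes">Rewards store</a>
<a href="http://examplebank.test.evil.test/login">Secure login</a>
"""


class LinkCollector(HTMLParser):
    """Collect the attribute dict of every <a> tag that carries an href."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attributes = dict(attrs)
            if "href" in attributes:
                self.links.append(attributes)


def is_first_party(host, bank_host=BANK_HOST):
    """True only for the bank host itself or a genuine subdomain of it.
    'examplebank.test.evil.test' ends in 'evil.test', so it is rejected."""
    host = host.lower()
    return host == bank_host or host.endswith("." + bank_host)


def audit_links(html, page_url="https://www.examplebank.test/", bank_host=BANK_HOST):
    """Return one finding per external link: target, host and whether the
    anchor carries the exit-notice marker the site policy expects."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.links:
        target = urljoin(page_url, attrs["href"])   # resolve relative links
        parsed = urlparse(target)
        if parsed.scheme not in ("http", "https"):  # mailto:, javascript: etc.
            continue
        host = parsed.hostname or ""
        if is_first_party(host, bank_host):
            continue
        findings.append({
            "url": target,
            "host": host,
            "has_exit_notice": attrs.get("data-exit-notice") == "yes",
        })
    return findings


if __name__ == "__main__":
    for finding in audit_links(SAMPLE_PAGE):
        status = "ok" if finding["has_exit_notice"] else "MISSING exit notice"
        print(f"{finding['host']:32} {status}")
```

Run against a crawl of the institution's pages, the findings without an exit notice are the links that need either a disclosure interstitial or removal; the lookalike host in the sample shows why the host comparison must not be a plain substring or suffix check.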
ACCOUNT AGGREGATION
Account aggregation is a service that gathers information from many websites, presents that
information to the customer in a consolidated format, and, in some cases, may allow the
customer to initiate activity on the aggregated accounts. The information gathered or aggregated
can range from publicly available information to personal account information (e.g., credit card,
brokerage, and banking data). Aggregation services can improve customer convenience by
avoiding multiple log-ins and providing access to tools that help customers analyze and manage
their various account portfolios. Some aggregators use the customer-provided user IDs and
passwords to sign in as the customer. Once the customer’s account is accessed, the aggregator
copies the personal account information from the website for representation on the aggregator’s
site (i.e., “screen scraping”). In this model the aggregator holds the customer’s full
credentials, and the target institution cannot distinguish the aggregator’s sessions from the
customer’s own. Other aggregators use direct data-feed arrangements with website operators or
other firms to obtain the customer’s information. Generally, direct data feeds are thought to
provide greater legal protection to the aggregator than does screen scraping.
Financial institutions are involved in account aggregation both as aggregators and as aggregation
targets. Risk management issues examiners should consider when reviewing aggregation
services include:
• Protection of customer passwords and user IDs – both those used to access the institution’s
aggregation services and those the aggregator uses to retrieve customer information from
aggregated third parties – to assure the confidentiality of customer information and to prevent
unauthorized activity;
• Disclosure of potential customer liability if customers share their authentication information
(i.e., IDs and passwords) with third parties; and
• Assurance of the accuracy and completeness of information retrieved from the aggregated
parties’ sites, including required disclosures.

PAYMENTS FOR E-COMMERCE


Many businesses accept various forms of electronic payments for their products and services.
Financial institutions play an important role in electronic payment systems by creating and
distributing a variety of electronic payment instruments, accepting a similar variety of
instruments, processing those payments, and participating in clearing and settlement systems.
However, increasingly, financial institutions are competing with third parties to provide support
services for e-commerce payment systems. Among the electronic payments mechanisms that
financial institutions provide for e-commerce are automated clearing house (ACH) debits and
credits through the Internet, electronic bill payment and presentment, electronic checks, e-mail
money, and electronic credit card payments.
Most financial institutions permit intrabank transfers between a customer’s accounts as part of
their basic transactional e-banking services. However, third-party transfers – with their
heightened risk for fraud – often require additional security safeguards in the form of additional
authentication and payment confirmation.

Bill Payment and Presentment


Bill payment services permit customers to electronically instruct their financial institution to
transfer funds to a business’s account at some future specified date. Customers can make
payments on a one-time or recurring basis, with fees typically assessed as a “per item” or
monthly charge. In response to the customer’s electronic payment instructions, the financial
institution (or its bill payment provider) generates an electronic transaction – usually an
automated clearinghouse (ACH) credit – or mails a paper check to the business on the
customer’s behalf. To allow for the possibility of a paper-based transfer, financial institutions
typically advise customers to make payments effective 3–7 days before the bill’s due date.
Internet-based cash management is the commercial version of retail bill payment. Business
customers use the system to initiate third-party payments or to transfer money between company
accounts. Cash management services also include minimum balance maintenance, recurring
transfers between accounts and on-line account reconciliation. Businesses typically require
stronger controls, including the ability to administer security and transaction controls among
several users within the business.
This booklet discusses the front-end controls related to the initiation, storage, and transmission of
bill payment transactions prior to their entry into the industry’s retail payment systems (e.g.,
ACH, check processing, etc.). The IT Handbook’s “Retail Payments Systems Booklet” provides
additional information regarding the various electronic transactions that comprise the back end
for bill payment processing. The extent of front-end operating controls directly under the
financial institution’s control varies with the system configuration. Some examples of typical
configurations are listed below in order of increasing complexity, along with potential control
considerations.
• Financial institutions that do not provide bill payment services, but may direct customers to
select from several unaffiliated bill payment providers.
   • Caution customers regarding security and privacy issues through the use of on-line
   disclosures or, more conservatively, e-banking agreements.
• Financial institutions that rely on a third-party bill payment provider, including Internet
banking providers that subcontract to third parties.
   • Set dollar and volume thresholds and review bill payment transactions for suspicious
   activity.
   • Gain independent audit assurance over the bill payment provider’s processing controls.
   • Restrict employees’ administrative access to ensure that the internal controls limiting their
   capabilities to originate, modify, or delete bill payment transactions are at least as strong as
   those applicable to the underlying retail payment system ultimately transmitting the
   transaction.
   • Restrict by vendor contract and identify the use of any subcontractors associated with the
   bill payment application to ensure adequate oversight of underlying bill payment system
   performance and availability.
   • Evaluate the adequacy of authentication methods given the higher risk associated with
   funds transfer capabilities rather than with basic account access.
   • Consider the additional guidance contained in the IT Handbook’s “Information Security,”
   “Retail Payment Systems,” and “Outsourcing Technology Services” booklets.
• Financial institutions that use third-party software to host a bill payment application
internally.
   • Determine the extent of any independent assessments or certification of the security of
   application source code.
   • Ensure software is adequately tested prior to installation on the live system.
   • Ensure vendor access for software maintenance is controlled and monitored.
• Financial institutions that develop, maintain, and host their own bill payment system.
   • Consider additional guidance in the IT Handbook’s “Development and Acquisition
   Booklet.”
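The control "set dollar and volume thresholds and review bill payment transactions for suspicious activity" is easy to state and worth seeing as code. The following is an added example written for this page, not the booklet's or any vendor's code: it runs a batch of payment instructions in time order through four front-end checks (single-item limit, cumulative daily limit per customer, payment velocity in a sliding window, and a large first-ever payment to a new payee) and returns the review reasons per transaction. The limits and the sample payments are constructed assumptions; in particular the three payments of $4,900 show why a per-item limit alone is not enough.

```python
"""Threshold and velocity review of bill payment instructions before they
enter the retail payment system. Added example; not code from the booklet
or any bill payment vendor. The limits and the sample payments are
constructed assumptions for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy limits for a retail bill payment channel.
PER_ITEM_LIMIT = 5_000.00       # any single payment above this is reviewed
DAILY_LIMIT = 10_000.00         # cumulative per customer per calendar day
VELOCITY_LIMIT = 5              # payments per customer within VELOCITY_WINDOW
VELOCITY_WINDOW = timedelta(hours=1)
NEW_PAYEE_LIMIT = 1_000.00      # first-ever payment to a payee above this is reviewed

# Constructed sample data: (txn id, customer, payee, amount, ISO timestamp)
SAMPLE_PAYMENTS = [
    ("t1", "cust-001", "Metro Electric", 120.50, "2024-03-01T09:05:00"),
    ("t2", "cust-001", "Metro Electric", 118.00, "2024-04-01T09:10:00"),
    ("t3", "cust-002", "Unknown Services LLC", 4_900.00, "2024-04-01T10:00:00"),
    ("t4", "cust-002", "Unknown Services LLC", 4_900.00, "2024-04-01T10:02:00"),
    ("t5", "cust-002", "Unknown Services LLC", 4_900.00, "2024-04-01T10:03:00"),
    ("t6", "cust-003", "City Water", 7_500.00, "2024-04-01T11:00:00"),
    ("t7", "cust-004", "Rent Co", 900.00, "2024-04-01T12:00:00"),
] + [
    # six small payments to six different payees inside five minutes
    (f"v{i}", "cust-005", f"Payee {i}", 50.00, f"2024-04-01T13:0{i}:00")
    for i in range(6)
]


def review_payments(payments):
    """Return {txn_id: [reasons]} for every payment, processed in time order.
    An empty reason list means the payment needs no manual review."""
    payments = sorted(payments, key=lambda p: p[4])
    daily_total = defaultdict(float)    # (customer, date) -> amount so far today
    recent = defaultdict(deque)         # customer -> timestamps inside the window
    known_payees = defaultdict(set)     # customer -> payees paid before
    result = {}
    for txn_id, customer, payee, amount, ts in payments:
        when = datetime.fromisoformat(ts)
        reasons = []

        if amount > PER_ITEM_LIMIT:
            reasons.append("per_item_limit")

        # Cumulative check catches amounts kept just under the per-item limit.
        day_key = (customer, when.date())
        if daily_total[day_key] + amount > DAILY_LIMIT:
            reasons.append("daily_limit")
        daily_total[day_key] += amount

        # Sliding-window velocity: drop timestamps older than the window first.
        window = recent[customer]
        while window and when - window[0] > VELOCITY_WINDOW:
            window.popleft()
        window.append(when)
        if len(window) > VELOCITY_LIMIT:
            reasons.append("velocity")

        # A large payment to a payee this customer has never paid before.
        if payee not in known_payees[customer] and amount > NEW_PAYEE_LIMIT:
            reasons.append("new_payee")
        known_payees[customer].add(payee)

        result[txn_id] = reasons
    return result


if __name__ == "__main__":
    for txn, reasons in review_payments(SAMPLE_PAYMENTS).items():
        print(txn, "REVIEW " + ", ".join(reasons) if reasons else "ok")
```

The payee history here is built only from the batch itself; in production it would be seeded from the customer's stored payee list, and flagged items would be held rather than released to the ACH file until an analyst clears them.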
Financial institutions can offer bill payment as a stand-alone service or in combination with bill
presentment. Bill presentment arrangements permit a business to submit a customer’s bill in
electronic form to the customer’s financial institution. Customers can view their bills by clicking
on links on their account’s e-banking screen or menu. After viewing a bill, the customer can
initiate bill payment instructions or elect to pay the bill through a different payment channel.
In addition, some businesses have begun offering electronic bill presentment directly from their
own websites rather than through links on the e-banking screens of a financial institution. Under
such arrangements, customers can log on to the business’s website to view their periodic bills.
Then, if so desired, they can electronically authorize the business to “take” the payment from
their account. The payment then occurs as an ACH debit originated by the business’s financial
institution as compared to the ACH credit originated by the customer’s financial institution in the
bill payment scenario described above. Institutions should ensure proper approval of businesses
allowed to use ACH payment technology to initiate payments from customer accounts.
Person-to-Person Payments
Electronic person-to-person payments, also known as e-mail money, permit consumers to send
“money” to any person or business with an e-mail address. Under this scenario, a consumer
electronically instructs the person-to-person payment service to transfer funds to another
individual. The payment service then sends an e-mail notifying the individual that the funds are
available and informs him or her of the methods available to access the funds including
requesting a check, transferring the funds to an account at an insured financial institution, or
retransmitting the funds to someone else. Person-to-person payments are typically funded by
credit card charges or by an ACH transfer from the consumer’s account at a financial institution.
Since neither the payee nor the payer in the transaction has to have an account with the payment
service, such services may be offered by an insured financial institution, but are frequently
offered by other businesses as well.
Some of the risk issues examiners should consider when reviewing bill payment, presentment,
and e-mail money services include:
• Potential liability for late payments due to service disruptions,
• Liability for bill payment instructions originating from someone other than the deposit
account holder,
• Losses from person-to-person payments funded by transfers from credit cards or deposit
accounts over which the payee does not have signature authority,
• Losses from employee misappropriation of funds held pending access instructions from the
payer, and
• Potential liability for directing payment availability information to the wrong e-mail or for
releasing funds in response to e-mail from someone other than the intended payee.

WIRELESS E-BANKING
Wireless banking is a delivery channel that can extend the reach and enhance the convenience of
Internet banking products and services. Wireless banking occurs when customers access a
financial institution's network(s) using cellular phones, pagers, and personal digital assistants (or
similar devices) through telecommunication companies’ wireless networks. Wireless banking
services in the United States typically supplement a financial institution's e-banking products and
services.
Wireless devices have limitations that increase the security risks of wireless-based transactions
and that may adversely affect customer acceptance rates. Device limitations include reduced
processing speeds, limited battery life, smaller screen sizes, different data entry formats, and
limited capabilities to transfer stored records. These limitations combine to make the most
recognized Internet language, Hypertext Markup Language (HTML), ineffective for delivering
content to wireless devices. Wireless Markup Language (WML) has emerged as one of a few
common language standards for developing wireless device content. Wireless Application
Protocol (WAP) has emerged as a data transmission standard to deliver WML content.
Manufacturers of wireless devices are working to improve device usability and to take advantage
of enhanced “third-generation” (3G) services. Device improvements are anticipated to include
bigger screens, color displays, voice recognition applications, location identification technology
(e.g., Federal Communications Commission (FCC) Enhanced 911), and increased battery
capacity. These improvements are geared towards increasing customer acceptance and usage.
Increased communication speeds and improvements in devices during the next few years should
lead to continued increases in wireless subscriptions.
As institutions begin to offer wireless banking services to customers, they should consider the
risks and necessary risk management controls to address security, authentication, and compliance
issues. Some of the unique risk factors associated with wireless banking that may increase a
financial institution's strategic.
Security and privacy issues of e-banking

Security
Security of transactions is the primary concern of Internet-based industries. A lack of security
can result in serious damage, as the Citibank case discussed below shows. Examples of private
information relating to the banking industry are the amount of a transaction, its date and time,
and the name of the merchant where the transaction takes place.

While the complexity of e-banking has grown tremendously, one should ask: how secure is
e-banking anyway?
ELECTRONIC AUTHENTICATION
Verifying the identities of customers and authorizing e-banking activities are integral parts of e-
banking financial services. Since traditional paper-based and in-person identity authentication
methods reduce the speed and efficiency of electronic transactions, financial institutions have
adopted alternative authentication methods, including:
• Passwords and personal identification numbers (PINs),
• Digital certificates using a public key infrastructure (PKI),
• Microchip-based devices such as smart cards or other types of tokens,
• Database comparisons (e.g., fraud-screening applications), and
• Biometric identifiers.
The authentication methods listed above vary in the level of security and reliability they provide
and in the cost and complexity of their underlying infrastructures. As such, the choice of which
technique(s) to use should be commensurate with the risks in the products and services for which
they control access. Additional information on customer authentication techniques can be found
in this booklet under the heading “Authenticating E-Banking Customers.”
The Electronic Signatures in Global and National Commerce (E-Sign) Act establishes some
uniform federal rules concerning the legal status of electronic signatures and records in
commercial and consumer transactions so as to provide more legal certainty and promote the
growth of electronic commerce. The development of secure digital signatures continues to
evolve with some financial institutions either acting as the certification authority for digital
signatures or providing repository services for digital certificates.

Security Precautions
Customers should never share personal information such as PINs and passwords with anyone,
including employees of the bank. Documents that contain confidential information must be
safeguarded. PIN or password mailers should not be stored; the PIN and/or password should be
changed immediately and memorized before the mailer is destroyed. Customers are advised not
to provide sensitive account-related information over unsecured e-mail or over the phone. Take
simple precautions such as changing the ATM PIN and the online login and transaction
passwords regularly, and make sure the logged-in session is properly signed out.
A user name and a static password are no longer sufficient to protect an online banking session,
because criminals have acquired sophisticated skills that enable them to find many ways to
infiltrate a system; a password captured once, by phishing or by malware on the customer’s
computer, can be replayed by the attacker at will. Banks therefore add a second factor for
logins and transactions, such as a one-time password generated by a token or sent to the
customer’s registered mobile phone.
According to Loh, malicious programs such as Trojans, worms and backdoors extract financial
information.
He explains that such malware, for example a Trojan, can disguise itself as a security update for
a legitimate online payment service. When the user executes the deceptively named file, the
Trojan registers itself as a browser helper object (BHO) and monitors the web browser for visits
to pre-defined URLs. All the account information gathered by the Trojan is then posted to a
domain controlled by the attacker. The log file is easily accessible due to a misconfigured web
server, giving the attacker a list of account numbers with corresponding passwords. This
provides the attackers with the information and opportunity to steal money from the victims.

To detect and prevent these attacks, a combination of intrusion prevention systems (IPS) and
intrusion detection systems (IDS) is used, and security information and event reporting tools
should be implemented so that the bank is alerted if the IPS layer has been bypassed and a
network anomaly has been detected. Note the limit of this defense: the Trojan runs on the
customer’s computer and captures credentials before they reach the bank, so the bank’s network
sensors never see the infection itself. What they can see is the attacker later using the stolen
credentials, which is why login and transaction monitoring (new device, unusual location,
unusual payee or amount) matters as much as perimeter IDS/IPS.
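The exfiltration step Loh describes (the Trojan posting captured account data to an attacker-controlled domain right after the user visits the bank's login URL) leaves a recognisable trace wherever outbound web traffic is logged, for example on a corporate or ISP egress proxy. The detector below is an added example written for this page, not the document's code or any product's rule set: it parses constructed proxy log lines, remembers when each client last touched the bank's login page, flags a POST to an untrusted host within a short window after that, and then watchlists the receiving host so that other victims posting to it are caught even without the timing correlation. The log format, hosts, URLs and window are assumptions.

```python
"""Detect the credential-exfiltration pattern described above in egress
proxy logs: a POST to an untrusted host shortly after a client reached the
bank's login page. Added example; not the document's code. The log format,
the hosts and the log lines are constructed for illustration."""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

BANK_LOGIN_URLS = ("https://www.examplebank.test/login",)          # assumed
TRUSTED_HOSTS = {"www.examplebank.test", "cdn.examplebank.test"}     # assumed
WINDOW = timedelta(seconds=30)   # how soon after the login page a POST is suspicious

# Constructed log lines: timestamp client method url status
SAMPLE_LOG = """\
2024-04-01T10:00:01Z 10.0.0.7 GET https://www.examplebank.test/login 200
2024-04-01T10:00:04Z 10.0.0.7 POST https://www.examplebank.test/login 302
2024-04-01T10:00:05Z 10.0.0.7 POST http://203.0.113.9/gate.php 200
2024-04-01T10:00:06Z 10.0.0.7 GET https://cdn.examplebank.test/app.js 200
2024-04-01T10:05:00Z 10.0.0.8 GET https://www.examplebank.test/login 200
2024-04-01T10:05:02Z 10.0.0.8 POST https://www.examplebank.test/login 302
2024-04-01T10:09:00Z 10.0.0.8 POST https://news.example/comment 200
2024-04-01T10:10:00Z 10.0.0.9 POST http://203.0.113.9/gate.php 200
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3})$")


def parse_log(text):
    """Parse log lines into (time, client, method, url, status), time-sorted."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue   # skip malformed lines rather than crash the detector
        ts, client, method, url, status = match.groups()
        when = datetime.fromisoformat(ts.rstrip("Z"))
        events.append((when, client, method, url, int(status)))
    return sorted(events, key=lambda e: e[0])


def find_exfiltration(text):
    """Return alerts for POSTs to untrusted hosts that follow a bank login
    visit within WINDOW, plus any later POST to a host already implicated."""
    last_login = {}    # client -> last time it touched the bank login page
    watchlist = set()  # hosts already seen receiving a suspicious POST
    alerts = []
    for when, client, method, url, status in parse_log(text):
        host = (urlparse(url).hostname or "").lower()
        if host in TRUSTED_HOSTS:
            if url.startswith(BANK_LOGIN_URLS):
                last_login[client] = when
            continue
        if method != "POST":
            continue
        reason = None
        if client in last_login and when - last_login[client] <= WINDOW:
            reason = "post_after_bank_login"
        elif host in watchlist:
            reason = "watchlisted_host"
        if reason:
            watchlist.add(host)
            alerts.append({"time": when.isoformat(), "client": client,
                           "host": host, "url": url, "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_exfiltration(SAMPLE_LOG):
        print(alert["time"], alert["client"], alert["reason"], alert["url"])
```

In the sample, 10.0.0.7 posts to a bare-IP host one second after submitting the bank login form, 10.0.0.8's later comment post falls outside the window and is ignored, and 10.0.0.9 is caught only because the same drop host was already watchlisted; a real deployment would feed such alerts to the bank's fraud desk so the affected credentials can be reset before they are used.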

"Security is simply the protection of interests."

The security of information may be one of the biggest concerns of Internet users. An electronic
banking user on an intermittent dial-up connection faces a smaller risk of someone breaking into
his computer than an organization such as a bank with a dedicated, always-on Internet connection,
which is continuously exposed to attempts at unauthorized access to its computers or network;
customers on always-on broadband connections, however, share that exposure. Even so,
electronic banking users still face the risk of unauthorized access to their banking accounts.
Moreover, electronic banking users are also concerned about non-repudiation, which requires
reliable identification of both the sender and the receiver of an on-line transaction. A
non-secure electronic transaction can be altered to change the apparent sender. It is therefore
extremely important to build in non-repudiation, which means that the identities of both the
sender and the receiver can be attested to by a trusted third party (a certification authority)
that issues the identity certificates binding each party to its signing key.

The Citibank $10 million break-in is one example of how such systems are vulnerable to hackers.
Hackers have many different ways of trying to break into a system. The problems of today’s
systems are inherent in the design of the communications and of the computers themselves. The
current focus of security is on session-layer protocols and on the flaws in end-to-end computing.
A secure end-to-end transaction requires a secure protocol for communicating over untrusted
channels and trusted code at both endpoints. A secure protocol is essential because trusted
channels do not exist in most environments.
For example, downloading a game off the Internet can be dangerous because Trojan horses and
viruses could patch the client software once it is on the local disk, especially on systems like
Windows 95 that provide no access control for files. This leads to the use of software-based and
hardware-based protections.
Many systems today use some form of software-based protection. Software-based protection is
easier to obtain and cheaper than hardware-based protection, and is consequently more widely
used. But software-based protection has many potential hazards. For software-based systems
there are four ways to penetrate the system:
• Attacking the encryption algorithms. This form of attack requires a great deal of time and
effort to succeed.
• Using brute force, i.e., actually trying out all possible combinations to find the password.
• Attacking the bank’s server. This is less likely to succeed in practice because the server side is
professionally hardened and monitored, though it is by no means impossible.
• Attacking the client’s personal computer, which is the most likely attack. This can be done in a
number of ways, such as planting malware (e.g., a Trojan horse) as mentioned above. Unlike
traditional viruses, the newer malware aims to have no visible effect on the system, which makes
it harder to detect and easier to spread unintentionally.
Solutions
Software-Based Systems

In software-based security systems, the coding and decoding of information is done by
specialized security software. Because of their easy portability and ease of distribution over
networks, software-based systems are more abundant in the market. Encryption is the main
method used in these software-based security systems. Encryption is a process that transforms
information so that it is unreadable until the transformation is reversed with the correct key.

In general, there are two types of encryption. The first is the conventional (symmetric)
encryption scheme, in which one secret key is used by both parties to encrypt and decrypt the
information. Once encrypted under the secret key, the information looks like a meaningless
jumble of random characters, and it can only be read once it has been decrypted using the exact
same key. The weakness of this scheme is that the key itself must first be delivered to the other
party over a trusted channel.

The second type is public key (asymmetric) encryption. In this method, each user holds two
different keys: a public key and a private key. The two keys are not interchangeable but are
complementary to each other, meaning that they exist in pairs. The public key can therefore be
made public knowledge and posted in a directory somewhere. Anyone who wants to send a
message to a person can encrypt the message with the recipient’s public key, and the message can
only be decrypted with the corresponding private key.

Digital Signature

The digital signature was first proposed in 1976 by Whitfield Diffie (with Martin Hellman) at
Stanford University. A digital signature is a value computed over the signed message so that
anyone who reads the message can verify who sent it and that it has not been altered. Digital
signatures use a secret key (the private key) to sign messages and the corresponding public key
to verify them: a signature created with the private key can be verified only with the matching
public key. It is infeasible for anyone but the sender to have created the signature, since he or
she is the only person with access to the private key needed to create it. In addition, a digital
signature can be applied to a message without encrypting it; this is usually done when the
message needs integrity and authenticity but not confidentiality.

Secure Electronic Transaction (SET)

Secure Electronic Transaction (SET) is a software standard for secure card payments on the
Internet, defined by a group of international companies including Visa, MasterCard, IBM,
Microsoft, Netscape Communications Corp., GTE, SAIL, Terisa Systems and Verisign. SET
promises to secure bank-card transactions online. Lockhart, CEO of MasterCard, said: "We are
glad to work with Visa and all of the technology partners to craft SET. This action means that
consumers will be able to use their bank cards to conduct transactions in cyberspace as securely
and easily as they use cards in retail stores today." [33] SET adopts RSA public key encryption to
ensure message confidentiality. Moreover, the system uses a separate public/private key pair to
create the digital signature. The main concerns for the transaction are not only to ensure the
privacy of data in transit but also to prove the authenticity of both parties, i.e., that the sender
and the receiver are who they claim to be.

Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP), created by Philip Zimmermann, is a "hybrid cryptosystem that
combines a public key (asymmetric) algorithm, with a conventional private key (symmetric)
algorithm to give encryption combining the speed of conventional cryptography with the
considerable advantages of public key cryptography." [20] The advantage of PGP is that it does
not require a trusted channel for transmitting the encryption key to the intended recipient of your
message.

Kerberos

Kerberos is named after the three-headed watchdog of Greek mythology, and it is one of the
best known private-key (symmetric) authentication technologies. Kerberos creates an encrypted data
packet, called a ticket, which securely identifies the user. To make a transaction, one obtains the
ticket through a series of encrypted message exchanges with a Kerberos server, which
sits between the two computer systems. Each of the two systems shares a private key with the
Kerberos server to protect information from attackers and to assure that the data has not been
altered during transmission. One example of this technology is NetCheque, developed by
the Information Sciences Institute of the University of Southern California. NetCheque uses
Kerberos to authenticate signatures on electronic checks that Internet users have registered with
an accounting server.

Hardware-Based Systems

1. Smartcard

A smartcard system is a mechanical device which has information encoded on a small chip on the
card; identification is accomplished by algorithms based on asymmetric sequences.

2. McCHIP

McCHIP, developed by ESD, is connected directly to the PC's keyboard using a patented
connection. All information which needs to be secured is sent directly to the McCHIP,
circumventing the client's vulnerable PC microprocessor. The information is then signed and
transmitted to the bank.

PRIVACY TECHNOLOGY

Privacy technology can be used to assure that consumers, merchants, and the transactions
themselves remain confidential. For instance, a company sending important, secret information
about its marketing strategy to one of its partners would like to keep that information private
and out of the hands of its competitors. This technology keeps such information secure and can
be applied to electronic cash, also known as "e-cash". The privacy technology provides a fully
digital bearer instrument that assigns a special code to money, just like the serial number on a
bank note. The security of e-cash is superior to paper cash because even if it is stolen, it cannot
be used. However, e-cash has its share of disadvantages because it lacks privacy of use. "This
system is secure, but it has no privacy. If the bank keeps track of note numbers, it can link each
shop's deposit to the corresponding withdrawal and so determine precisely where and when Alice
spends her money."

This would make it possible to create spending profiles on consumers and threaten their
privacy. Furthermore, records based on digital signatures are more vulnerable to abuse than
conventional files. Not only are they self-authenticating, but they also permit a person who has a
particular kind of information to prove its existence without either giving the information away
or revealing its source. "For example, someone might be able to prove incontrovertibly that Bob
had telephoned Alice on 12 separate occasions without having to reveal the time and place of any
of the calls."

One solution to this lack of privacy is the implementation of "blind signatures". Before
sending the bank note number to the bank for signing, the user multiplies the note number by a
random factor. Consequently, the bank knows nothing about what it is signing, except that the
note carries a digital signature issued against a particular person's account. After receiving the
blinded note signed by the bank, the user divides out the random factor and spends the note by
transferring it to a merchant's account as payment for merchandise. The blinded note numbers are
untraceable because the shop and the bank cannot determine who spent which notes: the bank has
no way of linking the note numbers that the merchant deposited with the purchaser's withdrawals.
Whereas the security of digital signatures depends on the difficulty of particular computations,
the anonymity of blinded notes is limited only by the unpredictability of the user's random
numbers. Blinded electronic bank notes protect an individual's privacy, but because each note is
simply a number, it can be copied easily. To prevent double spending, each note must be checked
on-line against a central list when it is spent, which makes this verification procedure
unacceptable for many applications, especially minor purchases. Thus, this technology is
currently only applicable to large sums of money.

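The blinding procedure above, carried through in code as an added example that is not part of the original report: a toy RSA blind signature (constructed, deliberately small key; the note numbers, the `Bank` class and its spent-list check are all assumptions for illustration) in which the bank signs a blinded note digest, the user divides out the random factor, and the merchant's deposit is checked against the central list to refuse a second spend.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy RSA key for the bank (illustration only; real keys are 2048+ bits).
P, Q = 1000003, 1000033              # two small primes
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent (Python 3.8+)


def note_digest(note_number: int) -> int:
    """Hash the bank-note number so the bank signs a fixed-size digest mod N."""
    h = hashlib.sha256(note_number.to_bytes(16, "big")).digest()
    return int.from_bytes(h, "big") % N


def blind(note_number: int) -> tuple[int, int]:
    """User: multiply the note digest by r^E for a random factor r coprime to N."""
    m = note_digest(note_number)
    while True:
        r = secrets.randbelow(N - 2) + 2
        if gcd(r, N) == 1:
            break
    return (m * pow(r, E, N)) % N, r


def unblind(blinded_sig: int, r: int) -> int:
    """User: divide the random factor out; what remains is the bank's signature on m."""
    return (blinded_sig * pow(r, -1, N)) % N


def verify(note_number: int, sig: int) -> bool:
    """Anyone (e.g. the merchant): check the signature with the bank's public key."""
    return pow(sig, E, N) == note_digest(note_number)


class Bank:
    """Signs blinded notes at withdrawal and keeps the central list of spent notes."""

    def __init__(self) -> None:
        self.signed_blinded: list[int] = []   # what the bank saw at withdrawal
        self.spent: set[int] = set()          # note numbers already deposited

    def sign_blinded(self, blinded: int) -> int:
        self.signed_blinded.append(blinded)   # record reveals nothing about the note
        return pow(blinded, D, N)

    def deposit(self, note_number: int, sig: int) -> bool:
        """Merchant deposit: accepted only if the signature is valid and unspent."""
        if not verify(note_number, sig) or note_number in self.spent:
            return False
        self.spent.add(note_number)
        return True

    def can_link(self, note_number: int) -> bool:
        """Does the withdrawal record contain the digest of the deposited note?"""
        return note_digest(note_number) in self.signed_blinded


def withdraw_and_spend(bank: Bank, note_number: int) -> tuple[bool, bool, bool]:
    """Walk through withdrawal, first deposit, and an attempted second deposit."""
    blinded, r = blind(note_number)
    sig = unblind(bank.sign_blinded(blinded), r)
    first = bank.deposit(note_number, sig)
    second = bank.deposit(note_number, sig)   # double spend is refused
    return first, second, bank.can_link(note_number)   # -> (True, False, False)
```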
INFORMATION SECURITY PROGRAM
Information security is essential to a financial institution’s ability to deliver e-banking services,
protect the confidentiality and integrity of customer information, and ensure that accountability
exists for changes to the information and the processing and communications systems.
Depending on the extent of in-house technology, a financial institution’s e-banking systems can
make information security complex with numerous networking and control issues. The IT
Handbook’s “Information Security Booklet” addresses security in much greater detail. Refer to
that booklet for additional information on security and to supplement the examination coverage
in this booklet.

SECURITY GUIDELINES
Financial institutions must comply with the “Guidelines Establishing Standards for Safeguarding
Customer Information” (guidelines) as issued pursuant to the Gramm–Leach–Bliley Act of
1999 (GLBA). When financial institutions introduce e-banking or related support services,
management must re-assess the impact to customer information under the GLBA. The guidelines
require financial institutions to:
• Ensure the security and confidentiality of customer information;
• Protect against any anticipated threats or hazards to the security or integrity of such
information; and
• Protect against unauthorized access to or use of such information that could result in
substantial harm or inconvenience to any customer.
The guidelines outline specific measures institutions should consider in implementing a security
program. These measures include:
• Identifying and assessing the risks that may threaten consumer information;
• Developing a written plan containing policies and procedures to manage and control these
risks;
• Implementing and testing the plan; and
• Adjusting the plan on a continuing basis to account for changes in technology, the sensitivity
of customer information, and internal or external threats to information security.
The guidelines also outline the responsibilities of management to oversee the protection of
customer information including the security of customer information maintained or processed by
service providers. Oversight of third-party service providers and vendors is discussed in this
booklet under the headings “Board and Management Oversight” and “Managing Outsourcing
Relationships.” Additional information on the guidelines can be found in the IT Handbook’s
“Management Booklet.” The IT Handbook’s “Information Security Booklet” presents additional
information on the risk assessment process and information processing controls.
The guidelines required by the GLBA apply to customer information stored in electronic form as
well as paper-based records. Examination procedures specifically addressing compliance with
the GLBA guidelines can be accessed through the agency websites listed in the reference section
of this booklet. Although the guidelines supporting GLBA define customer as “a consumer who
has a customer relationship with the institution,” management should consider expanding the
written information security program to cover the institution’s own confidential records as well
as confidential information about its commercial customers.

INFORMATION SECURITY CONTROLS
Security threats can affect a financial institution through numerous vulnerabilities. No single
control or security device can adequately protect a system connected to a public network.
Effective information security comes only from establishing layers of various control,
monitoring, and testing methods. While the details of any control and the effectiveness of risk
mitigation depend on many factors, in general, each financial institution with external
connectivity should ensure the following controls exist internally or at its technology service
provider (TSP).

Ongoing knowledge of attack sources, scenarios, and techniques. Financial institutions
should maintain an ongoing awareness of attack threats through membership in information-
sharing entities such as the Financial Services - Information Sharing and Analysis Center
(FS-ISAC), Infragard, the CERT Coordination Center, private mailing lists, and other
security information sources. All defensive measures are based on knowledge of the
attacker’s capabilities and goals, as well as the probability of attack.

Up-to-date equipment inventories, and network maps. Financial institutions should have
inventories of machines and software sufficient to support timely security updating and
audits of authorized equipment and software. In addition, institutions should understand and
document the connectivity between various network components including remote users,
internal databases, and gateway servers to third parties. Inventories of hardware and the
software on each system can accelerate the institution’s response to newly discovered
vulnerabilities and support the proactive identification of unauthorized devices or software.

Rapid response capability to react to newly discovered vulnerabilities. Financial institutions
should have a reliable process to become aware of new vulnerabilities and to react as
necessary to mitigate the risks posed by newly discovered vulnerabilities. Software is seldom
flawless. Some of those flaws may represent security vulnerabilities, and the financial
institution may need to correct the software code using temporary fixes, sometimes called a
“patch.” In some cases, management may mitigate the risk by reconfiguring other computing
devices. Frequently, the financial institution must respond rapidly, because a widely known
vulnerability is subject to an increasing number of attacks.

Network access controls over external connections. Financial institutions should carefully
control external access through all channels including remote dial-up, virtual private network
connections, gateway servers, or wireless access points. Typically, firewalls are used to
enforce an institution’s policy over traffic entering the institution’s network. Firewalls are
also used to create a logical buffer, called a “demilitarized zone,” or DMZ, where servers are
placed that receive external traffic. The DMZ is situated between the outside and the internal
network and prevents direct access between the two. Financial institutions should use
firewalls to enforce policies regarding acceptable traffic and to screen the internal network
from directly receiving external traffic.

System hardening. Financial institutions should “harden” their systems prior to placing them
in a production environment. Computer equipment and software are frequently shipped from
the manufacturer with default configurations and passwords that are not sufficiently secure
for a financial institution environment. System “hardening” is the process of removing or
disabling unnecessary or insecure services and files. A number of organizations have current
efforts under way to develop security benchmarks for various vendor systems. Financial
institutions should assess their systems against these standards when available.

Controls to prevent malicious code. Financial institutions should reduce the risks posed by
malicious code by, among other things, educating employees in safe computing practices,
installing anti-virus software on servers and desktops, maintaining up-to-date virus definition
files, and configuring their systems to protect against the automatic execution of malicious
code. Malicious code can deny or degrade the availability of computing services; steal, alter,
or insert information; and destroy any potential evidence for criminal prosecution. Various
types of malicious code exist including viruses, worms, and scripts using active content.

Rapid intrusion detection and response procedures. Financial institutions should have
mechanisms in place to reduce the risk of undetected system intrusions. Computing systems
are never perfectly secure. When a security failure occurs and an attacker is “in” the
institution’s system, only rapid detection and reaction can minimize any damage that might
occur. Techniques used to identify intrusions include intrusion detection systems (IDS) for
the network and individual servers (i.e., host computer), automated log correlation and
analysis, and the identification and analysis of operational anomalies.

Physical security of computing devices. Financial institutions should mitigate the risk posed
by unauthorized physical access to computer equipment through such techniques as placing
servers and network devices in areas that are available only to specifically authorized
personnel and restricting administrative access to machines in those limited access areas. An
attacker’s physical access to computers and network devices can compromise all other
security controls. Computers used by vendors and employees for remote access to the
institution’s systems are also subject to compromise. Financial institutions should ensure
these computers meet security and configuration requirements regardless of the controls
governing remote access.

User enrollment, change, and termination procedures. Financial institutions should have a
strong policy and well-administered procedures to positively identify authorized users when
given initial system access (enrollment) and, thereafter, to limit the extent of their access to
that required for business purposes, to promptly increase or decrease the degree of access to
mirror changing job responsibilities, and to terminate access in a timely manner when access
is no longer needed.

Authorized use policy. Each financial institution should have a policy that addresses the
systems various users can access, the activities they are authorized to perform, prohibitions
against malicious activities and unsafe computing practices, and consequences for
noncompliance. All internal system users and contractors should be trained in, and
acknowledge that they will abide by, rules that govern their use of the institution’s system.

Training. Financial institutions should have processes to identify, monitor, and address
training needs. Each financial institution should train their personnel in the technologies they
use and the institution’s rules governing the use of that technology. Technical training is
particularly important for those who oversee the key technology controls such as firewalls,
intrusion detection, and device configuration. Security awareness training is important for all
users, including the institution’s e-banking customers.

Independent testing. Financial institutions should have a testing plan that identifies control
objectives; schedules tests of the controls used to meet those objectives; ensures prompt
corrective action where deficiencies are identified; and provides independent assurance for
compliance with security policies. Security tests are necessary to identify control
deficiencies. An effective testing plan identifies the key controls, then tests those controls at
a frequency based on the risk that the control is not functioning. Security testing should
include independent tests conducted by personnel without direct responsibility for security
administration. Adverse test results indicate a control is not functioning and cannot be relied
upon. Follow-up can include correction of the specific control, as well as a search for, and
correction of, a root cause. Types of tests include audits, security assessments, vulnerability
scans, and penetration tests.

Bibliography

1. Internet Security. http://cfn.cs.dal.ca/Education/CGA/netsec.html

2. Encryption Issues. http://www.muc.edu:80/cwis/person/student/lockett/encryption.html

3. Security Comes First With Online Banking at Security First Network Bank.
http://www.hp.com/ibpprogs/gsy/advantage/june96/custspot.html

4. Solving the Puzzle of Secure Electronic Commerce. http://www.rsa.com/set[bankset.htm

5. The comp.security.pgp FAQ. http://www.gpg.net/gppnet/pgp-faq/faq-0l.html#1.3

6. The comp.security.pgp FAQ. http://www.pgp.net/pgpnet/pgp-faq/faq-05.html

7. The comp.security.pgp FAQ. http://www.pgp.net/pgpnet/pgp-faq/faq-03.html

8. The comp.security.pgp FAQ. http://www.pgp.net/pgpnet/pgp-faq/faq-06.html

9. The McCHIP. http://www.esd.de/eng/chip/index3.htm
